Abstract

Propagation criteria and resiliency of vectorial Boolean functions
are important for cryptographic purposes (see [1], [2], [3], [4], [7], [8],
[10], [11] and [16]). Kurosawa and Satoh [8] and Carlet [1] gave a
construction of Boolean functions satisfying $PC(l)$ of order $k$ from binary
linear or nonlinear codes. In this paper algebraic-geometric codes
over $GF(2^m)$ are used to modify the Carlet and Kurosawa-Satoh
construction to give vectorial resilient Boolean functions satisfying
the $PC(l)$ of order $k$ criterion. This new construction is compared with
previously known results.



Index Terms: Cryptography, Boolean functions, algebraic-geometric codes

I. Introduction and Preliminaries 

In cryptography vectorial Boolean functions are used in many applications
(see [2] and [3]). The propagation criterion of degree $l$ and order $k$ is
one of the most general properties of Boolean functions which has to be
satisfied for cryptographic purposes. It was introduced in Preneel et al.
[11], and extends the strict avalanche criterion SAC in [16]. For a Boolean
function $f(x) = f(x_1, \ldots, x_n)$ of $n$ variables, set = $f(x) + f(x + a)$,
$f$ satisfies $PC(l)$ if is a balanced Boolean function for any $a$ with
$1 \le wt(a) \le l$. When the function obtained from $f$ by keeping any $k$
variables fixed satisfies $PC(l)$, we say $f$ has the property $PC(l)$ of
order $k$. A vectorial Boolean function
$f = (f_1(x_1, \ldots, x_n), \ldots, f_m(x_1, \ldots, x_n))$ is called
$(n,m)$-$PC(l)$ of order $k$ if any nonzero linear combination of
$f_1, \ldots, f_m$ satisfies $PC(l)$ of order $k$. We say $f$ satisfies
$SAC(k)$ if it has the $PC(1)$ of order $k$ property. A vectorial Boolean
function $f = (f_1, \ldots, f_m)$ is called $k$-resilient if any nonzero
linear combination $\sum_i a_i f_i$ is $k$-resilient. Resiliency of vectorial
Boolean functions is relevant to quantum key distribution and
pseudo-random sequence generators for stream ciphers (see [1], [2], [3], [4]
and [17]).

We recall the Maiorana-McFarland construction of vectorial Boolean
functions. Let $\phi_i : GF(2)^s \to GF(2)^r$ be vectorial Boolean functions
for $i = 1, \ldots, m$; the class of Maiorana-McFarland $(r + s, m)$ Boolean
functions is the set of the functions $F(x, y)$ of the form
$F(x, y) = (x \cdot \phi_1(y) + h_1(y), \ldots, x \cdot \phi_m(y) + h_m(y)) :
GF(2)^{r+s} \to GF(2)^m$, $(x, y) \in GF(2)^r \times GF(2)^s$, where
$h_1, \ldots, h_m$ are Boolean functions of $s$ variables. It is well known
that $F(x, y)$ is at least $t$-resilient if
$a_1\phi_1(y) + \cdots + a_m\phi_m(y)$, for any nonzero
$(a_1, \ldots, a_m) \in GF(2)^m$ and any $y \in GF(2)^s$, has its Hamming
weight at least $t + 1$ (see [1], [2] and [3]).

$PC(n)$ Boolean functions of $n$ variables are just the perfect nonlinear
functions introduced by W. Meier and O. Staffelbach [10]. They exist only
when $n$ is even. Bent functions are examples of this kind of function
(see [10] and [16]). Only a few constructions of $PC(l)$ of order $k$
Boolean functions are known. In [1] and [8] $PC(l)$ of order $k$ (vectorial)
Boolean functions were constructed from binary linear or nonlinear codes.
To satisfy the conditions of the construction, the minimum distances of the
binary codes and their duals have to be lower bounded. Some lower bounds on
the minimum length (which is half of the number of variables in the
Kurosawa-Satoh construction) of these binary linear codes were studied in [9].

From [1] and [8] we know the following results. 

Kurosawa-Satoh Theorem ([8]). Let $C_1$ be a linear binary code of
length $s$ with minimum distance $d_1$ and dual distance $d_1'$, and $C_2$ be
a linear binary code of length $t$ with minimum distance $d_2$ and dual
distance $d_2'$. Set $l = \min\{d_1', d_2'\} - 1$ and
$k = \min\{d_1, d_2\} - 1$. Then the Boolean functions of $s + t$ variables
satisfying $PC(l)$ of order $k$ can be explicitly given.

Corollary 1 ([8] and [9]). Let $C$ be a linear binary code with minimum
distance at least $k + 1$ and dual distance at least $l + 1$. Then Boolean
functions of $2n$ variables satisfying $PC(l)$ of order $k$ can be explicitly
given.

Carlet Theorem ([1]). For a Boolean function
$f(x, y) = x \cdot \phi(y) + g(y)$ from $GF(2)^{r+s}$ to $GF(2)$, $f$
satisfies $PC(l)$ of order $k$ if the following two conditions are satisfied.

1) the sum of at least 1 and at most $l$ coordinates of $\phi$ is
$k$-resilient;

2) if $b \in GF(2)^s$ is nonzero and has its weight smaller than or equal to
$l$, at least $k + 1$ coordinates of the words $\phi(y + b)$ and $\phi(y)$
differ.

In this paper the functions $\phi_i$'s in the Maiorana-McFarland construction
are of the form $A_i y + v_i$, where $A_i$ is a fixed $r \times s$ matrix over
$GF(2)$ and $v_i$ is a fixed vector in $GF(2)^r$, for $i = 1, \ldots, m$.
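
The following added example (not code from the paper) instantiates the construction recalled above in its binary Kurosawa-Satoh form, a single function $f(x, y) = x \cdot \phi(y)$ with $\phi(y) = G^T G y + v$, and checks by exhaustive search the properties the theorems predict. The [6,3,3] code, the shift vector and all function names are constructed for illustration; a binary code is used directly instead of the expansion of an AG code.

```python
from itertools import combinations, product
# Constructed sample input (not from the paper): a binary [6,3,3] code whose
# dual also has distance 3, used as both C1 and C2, and a shift vector V.
G = [0b100011, 0b010101, 0b001110]   # generator rows
V = 0b111111                         # coset V + C has minimum weight 2
S, N = 6, 12                         # r = s = 6, so f(x, y) has 12 variables
FULL = (1 << (1 << N)) - 1           # truth tables are 2^N-bit integers
# ZERO[i]: bitset of the inputs z whose i-th bit is 0
ZERO = [sum(1 << z for z in range(1 << N) if not z >> i & 1) for i in range(N)]

def weight(v):
    return bin(v).count("1")

def phi(y):  # phi(y) = G^T (G y) + V, a word of the coset V + C
    word = V
    for row in G:
        if weight(row & y) & 1:
            word ^= row
    return word

def truth_table():  # bitset of f(x, y) = x . phi(y); z holds x in its high bits
    table = 0
    for z in range(1 << N):
        x, y = z >> S, z & ((1 << S) - 1)
        table |= (weight(x & phi(y)) & 1) << z
    return table

def flip(table, i):  # truth table of z -> f(z with bit i complemented)
    return ((table >> (1 << i)) & ZERO[i]) | ((table & ZERO[i]) << (1 << i))

def satisfies_pc(table, l, k):  # derivatives stay balanced with k inputs fixed
    for size in range(1, l + 1):
        for a in combinations(range(N), size):
            shifted = table
            for i in a:
                shifted = flip(shifted, i)
            for fixed in combinations([i for i in range(N) if i not in a], k):
                for values in product((0, 1), repeat=k):
                    mask = FULL
                    for i, bit in zip(fixed, values):
                        mask &= ZERO[i] ^ (FULL if bit else 0)
                    if weight((table ^ shifted) & mask) != 1 << (N - k - 1):
                        return False
    return True

def is_resilient(table, t):  # Walsh coefficient is 0 at every u, wt(u) <= t
    for size in range(t + 1):
        for u in combinations(range(N), size):
            linear = 0
            for i in u:
                linear ^= FULL ^ ZERO[i]     # truth table of u . z
            if weight(table ^ linear) != 1 << (N - 1):
                return False
    return True
```

Here $d = d' = 3$, so the Kurosawa-Satoh Theorem gives $l = k = 2$, and the coset $v + C$ has minimum weight 2, so the function is 1-resilient; the same checks fail for $PC(3)$, for order 3 and for 2-resiliency.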

Let us now recall some basic facts about AG-codes (algebraic-geometric
codes, see [12], [13] and [14]). Let $X$ be an absolutely irreducible,
projective and smooth curve defined over $GF(q)$ with genus $g$,
$P = \{P_1, \ldots, P_n\}$ be a set of $GF(q)$-rational points of $X$ and $G$
be a $GF(q)$-rational divisor satisfying $supp(G) \cap P = \emptyset$,
$2g - 2 < \deg(G) < n$. Let $L(G) = \{f : (f) + G \ge 0\}$ be the linear
space (over $GF(q)$) of all rational functions with divisor not smaller than
$-G$ and $\Omega(B) = \{\omega : (\omega) \ge B\}$ be the linear space of
all differentials with their divisors not smaller than $B$. Then the
functional AG-code $C_L(P, G) \subset GF(q)^n$ and residual AG-code
$C_\Omega(P, G) \subset GF(q)^n$ are defined. $C_L(P, G)$ is an
$[n, k = \deg(G) - g + 1, d \ge n - \deg(G)]$ code over $GF(q)$ and
$C_\Omega(P, G)$ is an $[n, k = n - \deg(G) + g - 1, d \ge \deg(G) - 2g + 2]$
code over $GF(q)$. We know that the functional code is just the evaluations
of functions in $L(G)$ at the points in $P$ and the residual code is just the
residues of differentials in $\Omega(G - P)$ at the points in $P$.

We also know that $C_L(P, G)$ and $C_\Omega(P, G)$ are dual codes. It is
known that for a differential $\eta$ that has poles at $P_1, \ldots, P_n$ with
residue 1 (there always exists such an $\eta$, see [12]) we have
$C_\Omega(P, G) = C_L(P, P - G + (\eta))$; the function $f$ corresponds to
the differential $f\eta$. This means that functional codes and residue codes
are essentially the same. For many examples of AG codes we refer to [12],
[13] and [14].

From the theory of algebraic curves over finite fields, there exist
algebraic curves $\{X_t\}$ defined over $GF(q^2)$ with the property
$\lim_{t \to \infty} N(X_t)/g(X_t) = q - 1$ (Drinfeld-Vladut bound) (see [5]
and [13]), where $N(X_t)$ is the number of $GF(q^2)$ rational points on the
curve $X_t$ and $g(X_t)$ is the genus of the curve $X_t$.
Actually for this family of curves N(X t ) > (q — l)q f + 1, g(X t ) = q f — 2<p + 1 
for t even and g(X t ) = q l — q~ — q~ + 1 for t odd (see [5]). 

For an AG-code over $GF(2^m)$ its expansion to some base $B$ of $GF(2^m)$
over $GF(2)$ will be used in our construction. Let $\{e_1, \ldots, e_m\}$ be a
base of $GF(2^m)$ as a linear space over $GF(2)$. For an $[n, k, d]$ linear
code $C \subset GF(2^m)^n$, the expansion with respect to the base $B$ is a
binary linear code $B(C) \subset GF(2)^{mn}$ consisting of all codewords
$B(x) = (B(x_1), \ldots, B(x_n))$, $x = (x_1, \ldots, x_n) \in C$. Here
$B(x_j)$ is a length $m$ binary vector $(x_j^1, \ldots, x_j^m)$, where
$x_j = \sum_{i=1}^{m} x_j^i e_i \in GF(2^m)$. It is easy to verify that the
binary linear code $B(C)$ is an $[mn, mk, \ge d]$ code. It is well known that
there exists a self-dual base $B$ for any finite field $GF(2^m)$ of
characteristic 2. The following result is useful in our construction.

Proposition 1 ([6]). Let $B$ be a self-dual base of $GF(2^m)$ over $GF(2)$
and $C$ be a linear code over $GF(2^m)$. Then the dual code $B(C)^\perp$ is
just $B(C^\perp)$.



A divisor $G$ on the curve $X$ is called effective if the coefficients of all
points in the support of $G$ are non-negative. We say $G_1 \ge G_2$ if
$G_1 - G_2$ is an effective divisor. This gives a partial order relation on
the set of all divisors. Let $U_1, \ldots, U_m$ be divisors on the curve $X$;
set $\max\{U_1, \ldots, U_m\}$ the smallest divisor $U$ such that $U - U_i$ is
effective for all $i = 1, \ldots, m$ and $\min\{U_1, \ldots, U_m\}$ the
biggest divisor $U'$ such that $U_i - U'$ is effective for all
$i = 1, \ldots, m$. For $m$ divisors $U_1, \ldots, U_m$ it is clear that the
intersection $\bigcap_i L(U_i) = L(\min\{U_1, \ldots, U_m\})$,
$\bigcap_i \Omega(U_i) = \Omega(\max\{U_1, \ldots, U_m\})$, and the linear
span of $L(U_1), \ldots, L(U_m)$ is just $L(\max\{U_1, \ldots, U_m\})$.

II. Main Result 

The following Theorem 1 and Corollary 2 are the main results of this 
paper. 

Theorem 1. Let $X$ (resp. $X'$) be a projective, absolutely irreducible
smooth curve of genus $g$ (resp. $g'$) defined over $GF(2^w)$ (resp.
$GF(2^{w'})$), $P$ (resp. $P'$) be a set of $n$ $GF(2^w)$ (resp. $n'$
$GF(2^{w'})$) rational points on $X$ (resp. $X'$), $U_1, \ldots, U_m$ (resp.
$U_1', \ldots, U_m'$) be $GF(2^w)$ (resp. $GF(2^{w'})$)-rational effective
divisors on $X$ (resp. $X'$) satisfying
$2g - 2 < \deg(\max\{U_1, \ldots, U_m\}) < n$ and
$supp(\max\{U_1, \ldots, U_m\}) \cap P = \emptyset$ (resp.
$2g' - 2 < \deg(\max\{U_1', \ldots, U_m'\}) < n'$,
$supp(\max\{U_1', \ldots, U_m'\}) \cap P' = \emptyset$). Suppose
$w(\deg(U_i) - g + 1) = w'(\deg(U_i') - g' + 1)$ for $i = 1, \ldots, m$.
$H$ is another $GF(2^{w'})$-rational effective divisor on $X'$ satisfying
$\deg(H) + \deg(\max\{U_1', \ldots, U_m'\}) < n'$ and
$w'(\deg(H) - g' + 1) > m$. It is assumed that $U_1', \ldots, U_m', H$ are
disjoint divisors (that is, their supports are disjoint). Then we have
$(wn + w'n', m)$ vectorial $t$-resilient $PC(l)$ of order $k$ Boolean
functions with $wn + w'n'$ variables, where

$l = \min\{\deg(\max\{U_1, \ldots, U_m\}) - 2g + 1,
\deg(\max\{U_1', \ldots, U_m'\}) - 2g' + 1\}$

$k = \min\{n - \deg(\max\{U_1, \ldots, U_m\}) - 1,
n' - \deg(\max\{U_1', \ldots, U_m'\}) - 1\}$

$t = n' - \deg(\max\{U_1', \ldots, U_m', H\}) - 1$.

If the curves, the bases of the linear spaces $L(U_i)$'s and $\Omega(U_i)$'s
(resp. $L(U_i')$'s, $L(H)$ and $\Omega(U_i')$'s) are explicitly given, the
$(wn + w'n', m)$ vectorial $t$-resilient $PC(l)$ of order $k$ Boolean
functions can be explicitly given.

Proof. We consider the linear codes $D_1^i = C_L(P, U_i)$,
$D_2^i = C_L(P', U_i')$; then $(D_1^i)^\perp = C_\Omega(P, U_i)$,
$(D_2^i)^\perp = C_\Omega(P', U_i')$. Let $B$ and $B'$ be the self-dual
bases of $GF(2^w)$ and $GF(2^{w'})$ over $GF(2)$. We will use the linear
binary codes $C_1^i = B(D_1^i)$, $C_2^i = B'(D_2^i)$. From Proposition 1,
$(C_1^i)^\perp = B(C_\Omega(P, U_i))$,
$(C_2^i)^\perp = B'(C_\Omega(P', U_i'))$. The code parameters of $C_1^i$ and
$C_2^i$ are $[wn, w(\deg(U_i) - g + 1), \ge n - \deg(U_i)]$ and
$[w'n', w'(\deg(U_i') - g' + 1), \ge n' - \deg(U_i')]$. The code parameters
of $(C_1^i)^\perp$ and $(C_2^i)^\perp$ are
$[wn, w(n - \deg(U_i) + g - 1), \ge \deg(U_i) - 2g + 2]$ and
$[w'n', w'(n' - \deg(U_i') + g' - 1), \ge \deg(U_i') - 2g' + 2]$.

Let $Q_i$ and $R_i$ be the generator matrices of the binary linear codes
$C_1^i$ and $C_2^i$ respectively, for $i = 1, \ldots, m$. Here we note that
the $Q_i$'s (resp. $R_i$'s) are $w(\deg(U_i) - g + 1) \times wn$ matrices
(resp. $w'(\deg(U_i') - g' + 1) \times w'n'$ matrices). Since
$w'(\deg(H) - g' + 1) > m$, we can find $m$ linearly independent vectors
$v_1, \ldots, v_m$ in the binary linear code $B'(C_L(P', H))$. Set
$\phi_i(y) = (R_i)^T Q_i(y) + v_i$, $y \in GF(2)^{wn}$, for
$i = 1, \ldots, m$; in the Maiorana-McFarland construction we get our
$(wn + w'n', m)$ Boolean function $f = (f_1, \ldots, f_m)$. Here the
$\phi_i$'s are mappings from $GF(2)^{wn}$ to $GF(2)^{w'n'}$. The image of
$\phi_i$ is the coset $v_i + C_2^i$ for $i = 1, \ldots, m$.

For any nonzero linear combination $a_1 f_1 + \cdots + a_m f_m$, we set
$\phi(y) = \sum_i a_i \phi_i(y) + \sum_i a_i v_i$. Then it is clear that
$\sum_i a_i \phi_i(y)$ is in the binary linear code
$B'(C_L(P', \max\{U_1', \ldots, U_m'\}))$ and $\sum_i a_i v_i$ is in the
binary linear code $B'(C_L(P', H))$. Because $\max\{U_1', \ldots, U_m'\}$ and
$H$ are disjoint, $\sum_i a_i \phi_i(y) + \sum_i a_i v_i$ is not zero. On the
other hand this is a nonzero codeword in
$B'(C_L(P', \max\{U_1', \ldots, U_m', H\}))$, so its weight is at least
$n' - \deg(\max\{U_1', \ldots, U_m', H\})$.
Hence $f$ is $t$-resilient.

From the above argument it is also known that
$\phi(y) = \sum_i a_i \phi_i(y) + \sum_i a_i v_i$ is in the coset of the
binary linear code $B'(C_L(P', \max\{U_1', \ldots, U_m'\}))$, for any
$y \in GF(2)^{wn}$. Thus the sum of arbitrary $j$ (where $1 \le j \le l$)
coordinates $\gamma \cdot \phi(y)$ (here $\gamma \in GF(2)^{w'n'}$,
$1 \le wt(\gamma) \le l$) of this function $\phi(y)$ is a nonzero function,
since $l$ is less than the Hamming distance of the code
$B'(C_\Omega(P', \max\{U_1', \ldots, U_m'\})) =
(B'(C_L(P', \max\{U_1', \ldots, U_m'\})))^\perp$. On the other hand
$\gamma \cdot \phi(y)$ is of the form $u \cdot y + 1$ or $u \cdot y$
(depending on $\gamma \cdot (\sum_i a_i v_i) = 1$ or $0$), where $u$ is a
nonzero codeword in $B(C_L(P', \max\{U_1', \ldots, U_m'\}))$ with weight at
least $k + 1$. Thus $\gamma \cdot \phi(y)$ is a $k$-resilient function. The
1st condition of the Carlet Theorem is satisfied.

For any $b \in GF(2)^{wn}$, $\phi(y + b) + \phi(y) = \phi(b)$. If $b$ has its
weight smaller than or equal to $l$, it is not in
$B(C_\Omega(P, \max\{U_1, \ldots, U_m\}))$, thus $Q_i b$ cannot be zero for
all $i = 1, \ldots, m$. Thus at least one $(R_i)^T Q_i b$ is not zero. From
the condition that $U_1', \ldots, U_m'$ are disjoint effective divisors on
$X'$, we know that $\phi(b) = \sum_i a_i (R_i)^T Q_i b$ is a nonzero codeword
in $B(C_L(P', \max\{U_1', \ldots, U_m'\}))$. Thus $\phi(b)$ has its weight at
least $k + 1$. The 2nd condition of the Carlet Theorem is satisfied. The
conclusion is proved.

It is well known in the theory of algebraic curves over finite fields that
there are many curves over $GF(2^w)$ (see [12], [13] and [14]) with various
numbers of rational points and genera. Thus when we use Theorem 1 for
constructing vectorial $t$-resilient $PC(l)$ of order $k$ functions, we have
very flexible choices of the parameters $l$, $k$, $wn + w'n'$. This is quite
similar to the role of algebraic curves in the theory of error-correcting
codes. Therefore the algebraic-geometric method offers us numerous vectorial
$t$-resilient $PC(l)$ of order $k$ functions. Moreover the supports of the
divisors $U_1, \ldots, U_m, U_1', \ldots, U_m', H$ need not be $GF(2^w)$ (or
$GF(2^{w'})$) rational points; it is sufficient that the divisors are
$GF(2^w)$ (or $GF(2^{w'})$)-rational. Thus we can easily choose the sets of
points $P$, $P'$ and the divisors to construct vectorial resilient $PC(l)$ of
order $k$ Boolean functions.

III. Constructions 

In this section some examples of vectorial $t$-resilient $PC(l)$ of order $k$
Boolean functions are constructed from Theorem 1. Comparing our
constructions with the previously known $PC(l)$ of order $k$ functions in [1]
and [8], it seems our constructed vectorial $t$-resilient $PC(l)$ of order $k$
functions are quite good.

We take $X = X'$ the genus $g$ curve which is defined over $GF(2^w)$,
$U_i = U_i'$, $i = 1, \ldots, m$, $m$ disjoint effective divisors which are
rational over $GF(2^w)$. In the case $m$ is small and
$\deg(U_i) = \deg(U_i') = t$ is not 1, we can always choose the supports of
the $U_i$'s outside all $GF(2^w)$ rational points on $X$; for example, we can
choose their supports to be $GF(2^{2w})$-rational points of $X$. In the
following example, $P = P'$ are $n$ $GF(2^w)$ points of $X$. So the only
restriction is the upper bound $n \le N(X)$, the number of
$GF(2^w)$-rational points of $X$. Because $U_1, \ldots, U_m$ are disjoint,
$\max\{U_1, \ldots, U_m\} = U_1 + \cdots + U_m$. Set $H$ another degree $t'$
$GF(2^w)$-rational effective divisor satisfying $2g - 2 < \deg(H) < n$,
$w(t' - g + 1) > m$, which is supported on $GF(2^{2w})$-rational points and
disjoint to $U_1, \ldots, U_m$. In this construction we have $(2wn, m)$
vectorial $(n - mt - t' - 1)$-resilient Boolean functions satisfying
$PC(mt - 2g + 1)$ of order $n - mt - 1$.

Example 1. We use the genus curve over $GF(4)$ in the construction.
Then a $(20, 2)$ vectorial $PC(5)$ function is constructed if we take
$m = 2$, $t = 2$, $n = 5$.

Example 2. We use the genus 1 curve over $GF(4)$ in the construction,
then $n \le 9$ (see [12] and [14]). We have $(4n, m)$ vectorial
$(n - mt - t' - 1)$-resilient $PC(mt - 1)$ of order $n - mt - 1$ Boolean
functions, where $2t' > m$. Thus $(36, 4)$ vectorial $PC(7)$ Boolean
functions are constructed, $(36, 3)$ vectorial $PC(5)$ of order 1 Boolean
functions are constructed, and $(24, 2)$ vectorial $PC(3)$ of order 1 Boolean
functions are constructed.

When $m = 1$, $t = 2$ we have $(n - 5)$-resilient $SAC(n - 3)$ functions of
$4n$ variables for $n = 5, 6, 7, 8, 9$.

Example 3. We use the genus 4 curve over $GF(4)$ in the construction,
then $n \le 15$ (see [14]). The $(4n, m)$ vectorial
$(n - mt - t' - 1)$-resilient $PC(mt - 7)$ of order $n - mt - 1$ Boolean
functions are constructed, where $2(t' - 3) > m$. Thus we have $(60, 7)$
vectorial $PC(7)$ Boolean functions, $(44, 5)$ vectorial $PC(3)$ Boolean
functions, $(48, 5)$ vectorial $PC(3)$ of order 1 Boolean functions, and
$(60, 6)$ vectorial $PC(5)$ of order 2 Boolean functions.

When $m = 4$, $t = 2$ we have $(4n, 4)$ vectorial $(n - 14)$-resilient
$SAC(n - 9)$ Boolean functions. For example, $(60, 4)$ vectorial 1-resilient
$SAC(6)$ Boolean functions are constructed.

Example 4. We use the Klein quartic $X$, an algebraic curve over
$GF(8)$ of genus 3, then $n \le 24$. From the construction $(6n, m)$
vectorial $(n - mt - t' - 1)$-resilient $PC(mt - 5)$ of order $n - mt - 1$
Boolean functions are constructed for $n = 7, 8, \ldots, 24$, where
$3(t' - 2) > m$. There are at least 19 degree 2 $GF(8)$-rational divisors on
$X$ (see [14]). Thus we have $(90, 7)$ vectorial $PC(9)$ Boolean functions
and $(90, 6)$ vectorial $PC(7)$ of order 4 Boolean functions. When
$n = 10, \ldots, 24$, we have $(6n, 3)$ vectorial $(n - 10)$-resilient
$SAC(n - 7)$ Boolean functions.

Corollary 2. Let $X$ be an algebraic curve over $GF(2^w)$ with genus $g$ and
$n$ $GF(2^w)$ rational points, and suppose there are at least $2g$
$GF(2^{2w})$-rational points on $X$. Then we have $(2wn, g)$ vectorial
(n— |~^f] — 1) -resilient $SAC(n - 2g - 1)$ Boolean functions.

Applying Theorem 1 to Garcia-Stichtenoth curves [5] over $GF(2^{2w})$, we
have the following result.

Corollary 3. For positive integers $w > 2$ and $h > 1$, we have $(4wn, m)$
vectorial Boolean functions satisfying $PC(mt - 2^{2wh+1} + 1)$ of order
$(n - mt - 1)$ for $m$ and $n$ satisfying
$2^{2wh+1} + 1 < n < (2^w - 1)2^{2wh}$ and $m < n$.

Comparing with the constructions in [1] and [8] we can see that our method
based on AG-codes offers more flexibility for the parameters $wn + w'n'$,
$m$, $t$, $k$ and $l$. The main result is more suitable for constructing
vectorial resilient Boolean functions satisfying propagation criteria,
because there are many $GF(2^w)$-rational divisors on the algebraic curves.

IV. Conclusion 

In this paper we presented a method based on AG-codes for constructing
$(n, m)$ vectorial $t$-resilient Boolean functions satisfying $PC(l)$ of
order $k$. The parameters $n$, $m$, $t$, $k$ and $l$ in our constructions can
be chosen quite flexibly. Many such functions of less than 100 variables have
been given in our examples.